Are Password Managers Still Safe?

Password managers are often considered to be the holy grail of consumer cybersecurity, allowing us to fight password fatigue and effortlessly create strong passwords for all of our accounts. We’ve encouraged readers to use password managers multiple times before, but do password managers have any weaknesses? And if they do, would they still be worth using? In this post, we’re covering a story from February regarding a security audit of five of the most popular password managers and the implications of its findings for consumers.

What exactly are password managers?

Briefly, password managers are programs that allow for the creation and storage of a multitude of passwords. The idea is that such programs can both generate complex passwords and safely store them for future use. By creating a single “master password” that is required before your other stored data can be accessed, you can put these robust, autogenerated passwords under lock and key. Password managers are among all cybersecurity experts’ recommended tools because the alternative for most users relies on shortcuts that result in poorly constructed passwords being reused across multiple sites.

What did security researchers discover about password managers?

On Feb. 19, researchers associated with the cybersecurity firm Independent Security Evaluators (ISE) released a report titled “Password Managers: Under the Hood of Secrets Management.” The study covered what ISE considered a security vulnerability present in some big-name password managers running on Windows 10 systems. The password managers specifically examined were 1Password 7, 1Password 4, Dashlane, KeePass and LastPass, all of which had a system memory flaw that revealed the contents of active or recently used programs. In a technical sense, the password managers don’t share the exact same vulnerability, but ISE identified flaws in how each handles stored passwords and master passwords while these programs are running in a “locked” state. ISE demonstrated that, in theory, someone reading the memory of a Windows 10 machine with a password manager running in a locked state could, to varying degrees depending on the program, view stored passwords and/or master passwords. For a more technical analysis of each individual program’s flaws, you can view the complete study here.

Why does this matter?

As groundbreaking as these memory flaws sound, for the most part, it’s business as usual for consumers because everyone, even ISE, agrees that password managers are still the best protection against hackers in nearly all circumstances. The hacks that ISE conducted require that a system either already be severely compromised or that a person has given someone physical access to their device. Some experts, including a few from some of the companies whose password managers were tested, have used this to insinuate that these vulnerabilities aren’t as significant as ISE has indicated, with only LastPass taking steps to address them. The research firm has countered that, although the vulnerabilities are not likely to have been exploited, framing them as unlikely to ever happen is reminiscent of past eras of technology security, which relied heavily on security by obscurity. For example, ISE’s FAQ notes that since friends and family share machines all the time, this issue is less obscure than one would think.

That said, the security firm points out that systems and networks can be hardened to protect against some types of physical access (especially in corporate environments), making the memory scraping vulnerabilities they’ve detailed potentially the weakest links in cyberattack scenarios involving physical device access. ISE also points to the anti-keylogging protections most password managers already have as evidence that developers understand the need to mitigate data capture and malware-based attacks at various phases of a program’s use. Elsewhere, ISE lead researcher Adrian Bednarek has pointed to RoboForm, another password manager, which has successfully addressed this issue. He’s also suggested a potential fix for these vulnerabilities that could apply to most password managers. LastPass and RoboForm plan to look into these vulnerabilities, but it’s unclear if the other password managers will give this issue another look.
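Added example, not code from the article or from ISE: a toy vault in C that contrasts a lock that only flips a flag (leaving the key and decrypted entries resident, the state described above) with one that scrubs them before reporting itself locked. The article does not describe Bednarek’s proposed fix; zeroing secrets on lock is the assumed mitigation shown here, and every name and sample value is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Wipe a buffer so the optimizer cannot drop the store: calling memset
 * through a volatile function pointer keeps the call from being elided. */
static void *(*volatile memset_ptr)(void *, int, size_t) = memset;
static void secure_zero(void *p, size_t n) { memset_ptr(p, 0, n); }

#define KEY_LEN 32
#define MAX_ENTRIES 4
#define SECRET_LEN 64

/* Toy in-memory vault (constructed): key and entries live here while unlocked. */
typedef struct {
    unsigned char master_key[KEY_LEN];      /* stand-in for the derived key */
    char secrets[MAX_ENTRIES][SECRET_LEN];  /* decrypted entries */
    int unlocked;
} vault_t;

/* Unlock: copies the key and plaintext entries into the vault's memory. */
void vault_unlock(vault_t *v, const unsigned char key[KEY_LEN],
                  const char *const *entries, int n) {
    memcpy(v->master_key, key, KEY_LEN);
    for (int i = 0; i < n && i < MAX_ENTRIES; i++)
        strncpy(v->secrets[i], entries[i], SECRET_LEN - 1);
    v->unlocked = 1;
}

/* Weak lock: only flips the flag, so the key and entries stay in memory.
 * This is the locked-but-still-resident state the article describes. */
void vault_lock_weak(vault_t *v) { v->unlocked = 0; }

/* Hardened lock: scrub every secret before the vault reports itself locked. */
void vault_lock_scrub(vault_t *v) {
    secure_zero(v->master_key, sizeof v->master_key);
    secure_zero(v->secrets, sizeof v->secrets);
    v->unlocked = 0;
}

/* Returns 1 if every byte of the key and entry regions is zero, else 0. */
int vault_is_clean(const vault_t *v) {
    const unsigned char *p = (const unsigned char *)v;
    for (size_t i = 0; i < offsetof(vault_t, unlocked); i++)
        if (p[i] != 0) return 0;
    return 1;
}
```

After the weak lock, vault_is_clean still reports residual secrets even though the vault says it is locked; after the scrubbing lock it reports clean.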

Does this mean password managers aren’t safe to use?

While ISE might be right to bring attention to these vulnerabilities, it’s worth stating again that they aren’t likely to affect the average consumer any time soon, given the amount of effort it would take for hackers to deploy such attacks widely. Most hackers attack “low-hanging fruit” en masse, like poorly secured databases or individuals who reuse passwords across sites. Still, even with the greatest precautions in place, with enough time any security arrangement can prove to be hackable. But, as Washington Post columnist Geoffrey A. Fowler points out in his article on the ISE study, the point of cybersecurity isn’t to be unhackable. Both he and Bednarek indicate that it’s feasible in the distant future, assuming password manager adoption continues rising, for these unlikely exploits to become more commonly abused. Even so, they and other security experts believe that there are a number of things users can do to stay safe.

How can I improve my security?

Even assuming the worst-case scenario of your passwords being compromised by these exploits, something highly unlikely, there are things you can do right now to limit the damage any hacker can do.

Make yourself a smaller target. For many of today’s hackers, what they do isn’t personal, it’s just a matter of finding the most accessible targets. You might be practicing several habits that could be increasing your susceptibility to cyberattacks. Some examples include keeping old accounts open, reusing passwords, holding on to older devices or rushing out to buy new smart devices. All of these behaviors increase what security researchers call an attack surface and unintentionally make you a bigger target for hackers. You should take the time to assess your cybersecurity practices in order to make yourself less vulnerable to hacks.

Use two-factor authentication (2FA). Alongside password managers, 2FA is also seen as a mandatory part of good cybersecurity for anyone who’s serious about staying safe online, and for good reason. 2FA means that even if your password is compromised (your first login factor), without a second one — be it a code sent to your cell phone, a security dongle or an app — no one can enter your accounts. For the strongest 2FA settings, consider using an app- or hardware-based solution. Want to learn more? Our guide to 2FA details everything you need to know.

Keep devices and services up to date. Updating your software is key to fighting against emerging security threats that you couldn’t possibly hope to anticipate on your own. That’s because device updates often include patches for known security vulnerabilities. With regard to this particular set of vulnerabilities, it’s possible that Windows could issue an update to address how programs like password managers keep their contents in system memory.

Learn everything you can about phishing/social engineering. Because exploits like the ones detailed in ISE’s study require physical access or deep system access granted through powerful malware, it’s very likely that duping a user into either handing over their device or installing malware on their system would be the way hackers use them (assuming any of them are possible under real-world conditions in the future). As such, you’ll want to be on the lookout for phishing attacks via email and text. You should also understand that scammers target consumers using social engineering to trick them into thinking a phishing email or scam is legitimate. If you don’t already know, it may also be beneficial for you to understand the psychology and breakdown of when and how scammers manipulate victims, as it will help you determine if you’re ever being scammed.

Staying safe online is important to protecting your sensitive personal and financial information. Keep reading our cybersecurity blog to learn more of the tips you need to stay safe.